Critical Vulnerability Discovered in Ethereum’s Most Used Smart Contract – Trustnodes

Critical Vulnerability Discovered in Ethereum’s Most Used Smart Contract


Fairwin, eth based ponzi, Sep 2019

A critical vulnerability has been found in Fairwin, a ponzi scheme dapp that is currently ranking as ethereum’s biggest gas user.

“There is an exploit in the fairwin contract! Details will be disclosed in a few days, but black hats could find it easily! Everyone should stop using this contract, your funds are at risk!!!”

So says Griff Green of Slockit, a longtime eth developer. Details have apparently been revealed to a team of prominent eth developers known as the White Hat Group.

They have not yet been revealed publicly, but Green says a black hat coder could easily find it.

The effectiveness of exploiting this vulnerability is unclear as Ameen Soleimani, a dapp developer, says:

“You can attack it but not without risking your funds if the owners decide to drain it.”

That suggests there’s a backdoor of sorts where the contract owner can basically do whatever he/she wants.

This contract is used significantly, however, with a lot of money going to it. Multiple transactions sending 15 eth are not uncommon, with the design quite inefficient as it goes through a loop thousands of times.

That loop might be the ponzi part with this being a literal pyramid scheme promising as much as 1% a day, they say:

“Membership level is V1, V2, V3, 1-5 ETH is V1, 6-10 ETH is V2, 11-15 ETH is V3.

Income from equity: daily dividend of V1 is 0.5%, daily dividend of V2 is 0.7%, and daily dividend of V3 is 1%.

Node reward: V1: only get the first generation reward, 50% of the daily dividend of the first generation, V2: only get the second generation reward, 70% of the daily dividend of the first generation, 50% of the daily dividend of the second generation, V3: get the unlimited generation reward, 100% of the daily dividend of the first generation, 70% of the daily dividend of the second generation, 50% of the daily dividend of the third generation, 10% of the daily dividend of the fourth generation to the tenth generation, 5% of the daily dividend of the 11-20 generation and more than 1% of the daily dividend.”

At some point the contract reaches zero as old “investors” are paid by new investors with nothing left anymore. At that point, this all then restarts.

For obvious reasons it’s quite unclear who is behind this contract. Their “official” website does list some team, but that looks very fake because the names are identical to another project, although not the pictures.

We are not familiar with this other project. Nor do we know whether these people actually exist in the identity presented. We suspect they don’t because PHDs from Cambridge Uni tend to have some online presence. Here there’s none.

Using same names, however, is a bit sloppy or more probably quite intentional as they might not want very smart people to play with their smart contract, so making it all a bit obvious with an advert from Fairwin saying “the guarantee is guaranteed.”

What that translated to in Chinese is unclear, but suggestions are this is a project from Asia and apparently it’s popular there.

Whether there’s any truth to the latter part we do not know. This could all be the contract owner faking much to get attention, which he/she has now clearly gained because they’re eating currently 50% of all eth gas and at some point reached even 70%.

An interaction with this smart contract, however, can cost as much as $30. So faking it would be a pretty expensive exercise.

Making it likely this is legit activity and we suspect it might be from a team or dev that last year pretty much copy cloned Fomo3d.

If you remember the latter, that was some time based ponzi scheme, with LastWinner being the Chinese version.

There isn’t much evidence for our speculation save for they kind of have the same feel, so it is probable this too will fizzle out once the first ponzi round ends.

That might take some time as the contract currently has 54,000 eth, worth about $9 million, but once it turns around it would probably do so somewhat quickly with this maybe being the peak now or near there.


Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>